Alisa Davidson
Published: February 12, 2025 at 9:19 am Updated: February 12, 2025 at 9:21 am

Edited and fact-checked:
February 12, 2025 at 9:19 am
In Brief
SlowMist has identified a critical vulnerability at the core of the recent zkLend attack, attributing the issue to the implementation of the SafeMath library in the market contract.
Blockchain security firm SlowMist has disclosed that its security team identified a critical vulnerability at the core of the recent attack on zkLend, a Layer 2 money market protocol built on Starknet. The firm attributes the issue to the implementation of the safeMath library in the market contract.
According to SlowMist, the vulnerability arises from the way division calculations are handled. The contract performs direct division operations, resulting in a rounding-down vulnerability when determining the exact amount of zTokens that need to be burned during a withdrawal operation. This flaw creates an opportunity for attackers to exploit the discrepancy and gain unauthorized benefits.
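The rounding issue SlowMist describes can be illustrated with a small model of a withdrawal that burns zTokens, comparing direct (round-down) division with a round-up variant and an invariant check. This is an added example, not zkLend's contract code; the fixed-point scale, the index values and all function names are assumptions made for illustration.

```python
"""Constructed model of zToken burn rounding on withdrawal (not zkLend's code)."""

SCALE = 10**27  # assumed fixed-point scale for the index (hypothetical value)


def burn_floor(amount: int, index: int) -> int:
    """Direct division: truncates, so the burn can be worth less than `amount`."""
    return amount * SCALE // index


def burn_ceil(amount: int, index: int) -> int:
    """Round up: the burned zTokens are always worth at least `amount`."""
    return (amount * SCALE + index - 1) // index


def value_of(raw: int, index: int) -> int:
    """Underlying value of `raw` zTokens, rounded down (in the pool's favour)."""
    return raw * index // SCALE


def shortfall(amount: int, index: int) -> int:
    """Underlying units paid out but not covered by the round-down burn."""
    return amount - value_of(burn_floor(amount, index), index)


def withdraw(raw_balance: int, amount: int, index: int, burn_fn) -> int:
    """Return the new raw balance, rejecting burns that under-cover the payout."""
    to_burn = burn_fn(amount, index)
    if to_burn > raw_balance:
        raise ValueError("insufficient zToken balance")
    # Invariant every withdrawal must keep: value burned >= value paid out.
    if value_of(to_burn, index) < amount:
        raise ArithmeticError("rounding favours the withdrawer")
    return raw_balance - to_burn


if __name__ == "__main__":
    index = 3 * SCALE  # constructed sample: one raw zToken is worth 3 units
    for amount in (9, 10, 11):
        print(amount, burn_floor(amount, index), burn_ceil(amount, index),
              shortfall(amount, index))
```

Rounding the burn up, and asserting that the burned value covers the payout, makes any remainder fall on the withdrawer rather than on the pool.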
In response to the findings, SlowMist has advised zkLend users to remain vigilant regarding the security of their assets. The firm recommends temporarily refraining from conducting deposit-related transactions on the platform to mitigate the risk of potential financial losses.
zkLend experienced a $9.5 million exploit on the Starknet network earlier today. In response, withdrawals on the protocol have been paused, and zkLend reached out to the hacker, offering them a “white hat” reward of 10% of the stolen funds while requesting the return of the remaining 90%, which amounts to 3,300 ETH, approximately $8.4 million.
In an announcement shared on social media platform X, zkLend stated, “Upon receiving the transfer, we agree to release you from any and all liability regarding the attack. We’re working with security firms and law enforcement at this stage. If we don’t hear from you by 00:00 UTC, 14th Feb 2025, we will proceed with the next steps to track and prosecute you.”
Real-time security alert platform Cyvers Alerts reported that the stolen funds have been bridged to Ethereum and laundered through the privacy-focused protocol Railgun.
What Is zkLend?
zkLend aims to provide a user-friendly, secure, and efficient money-market platform tailored to meet users’ liquidity needs. The protocol is a permissionless lending market designed primarily for retail users, allowing them to deposit and borrow digital assets directly through their wallets at any time. Depositors can earn yields based on the interest paid by borrowers who utilize the deposited assets. Additionally, users can leverage their deposited assets as collateral to borrow other digital assets.
The project raised $5 million in a seed funding round in 2022, with Delphi Digital leading the investment and Three Arrows Capital and StarkWare also participating.